From 33ebc1b8b67c818fda757aa7e2f9a1185fcbb8b2 Mon Sep 17 00:00:00 2001 From: cclohmar Date: Wed, 18 Mar 2026 14:12:30 +0000 Subject: [PATCH] chore: auto-commit 2026-03-18 14:12 --- wallarm-deploy-ct.sh | 154 ++++++++++++++++++++----------------------- 1 file changed, 71 insertions(+), 83 deletions(-) diff --git a/wallarm-deploy-ct.sh b/wallarm-deploy-ct.sh index 9855d6e..e00162e 100644 --- a/wallarm-deploy-ct.sh +++ b/wallarm-deploy-ct.sh @@ -1,11 +1,9 @@ #!/bin/bash # ============================================================================== -# Sechpoint Wallarm Smart Deployer - Manual Binary Edition (PoC Optimized) +# SECHPOINT WALLARM SMART DEPLOYER - V6 (FULL BINARY INSTALL + PORT SELECTION) # ============================================================================== -# --- Styling --- -YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m' - +YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'; BOLD='\033[1m' LOG_FILE="/var/log/wallarm-deploy.log" EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com") US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com") 
@@ -15,70 +13,70 @@ sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE" exec > >(tee -a "$LOG_FILE") 2>&1 clear -echo -e "${BLUE}====================================================${NC}" -echo -e "${BLUE} Wallarm Manual Binary Container Deployer ${NC}" -echo -e "${BLUE}====================================================${NC}" +echo -e "${BLUE}${BOLD}==========================================================${NC}" +echo -e "${BLUE}${BOLD} Wallarm Full Binary & Container Deployer V6 ${NC}" +echo -e "${BLUE}${BOLD}==========================================================${NC}" # --- 1. PRE-FLIGHT & CONNECTIVITY --- check_connectivity() { echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}" - # 1. Cloud Selection read -p " Wallarm Cloud (US/EU) [US]: " CLOUD_SEL - CLOUD_SEL=${CLOUD_SEL^^} - CLOUD_SEL=${CLOUD_SEL:-US} + CLOUD_SEL=${CLOUD_SEL^^}; CLOUD_SEL=${CLOUD_SEL:-US} local nodes_to_test=("${US_DATA_NODES[@]}") [[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}") - # 2. Test Wallarm API Endpoints echo " Testing $CLOUD_SEL Cloud Endpoints..." for node in "${nodes_to_test[@]}"; do if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then echo -e " ${GREEN}[PASS]${NC} Reached $node" else - echo -e " ${RED}[FAIL]${NC} Cannot reach $node (Check Firewall/Proxy)" + echo -e " ${RED}[FAIL]${NC} Cannot reach $node" fi done API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com") - # 3. Improved Docker Registry Check (Accepting 401 as 'Reachable') echo -n " Testing Docker Hub Registry Path... 
" - - # Capture the HTTP Status code specifically REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/") - # 401 (Unauthorized) is the expected response from Docker Hub V2 API for unauthenticated probes if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then REGISTRY_REACHABLE=true - echo -e "${GREEN}REACHABLE${NC} (Status: $REGISTRY_STATUS)" + echo -e "${GREEN}REACHABLE${NC} ($REGISTRY_STATUS)" else REGISTRY_REACHABLE=false - echo -e "${RED}BLOCKED/OFFLINE${NC} (Status: $REGISTRY_STATUS)" - echo -e " ${YELLOW}i${NC} Falling back to local image check..." - + echo -e "${RED}OFFLINE${NC} ($REGISTRY_STATUS)" if ! ls *.tar >/dev/null 2>&1; then - echo -e " ${RED}✗ FATAL: Registry unreachable and no local .tar image found.${NC}" - exit 1 + echo -e " ${RED}✗ FATAL: No registry and no local .tar found.${NC}"; exit 1 fi fi } -# --- 2. ENGINE SETUP (Manual Binary Logic) --- +# --- 2. ENGINE SETUP (Manual Binary Download & Install) --- setup_manual_engine() { - echo -e "\n${YELLOW}[2/5] Hardening Manual Docker Engine...${NC}" + echo -e "\n${YELLOW}[2/5] Setting up Docker Engine (Manual Binaries)...${NC}" - if sudo docker info > /dev/null 2>&1; then - echo -e " ${GREEN}[INFO]${NC} Docker is already active." + if command -v docker > /dev/null 2>&1 && sudo docker info > /dev/null 2>&1; then + echo -e " ${GREEN}✓${NC} Docker is already installed and running." else - if [ ! -f "/usr/bin/dockerd" ]; then - echo -e " ${RED}[FATAL]${NC} Manual binaries not found in /usr/bin/. Move them first."; exit 1 - fi - - echo " Configuring systemd service for manual binaries..." + echo " Docker not found. Proceeding with static binary installation..." + + # Determine Architecture + ARCH=$(uname -m) + BINARY_URL="https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" + + echo " Downloading Docker Binaries ($ARCH)..." 
+ curl -L "$BINARY_URL" -o docker-static.tgz || { echo -e "${RED}Download failed.${NC}"; exit 1; } + + echo " Extracting and moving binaries to /usr/bin/..." + tar xzvf docker-static.tgz > /dev/null + sudo cp docker/* /usr/bin/ + rm -rf docker docker-static.tgz + + echo " Creating systemd service..." sudo tee /etc/systemd/system/docker.service > /dev/null < /dev/null 2>&1 || { echo -e "${RED}Engine failed to start.${NC}"; exit 1; } + echo -e " ${GREEN}✓${NC} Docker Engine manually installed and started." fi } # --- 3. INPUT & WORKSPACE --- get_user_input() { - echo -e "\n${YELLOW}[3/5] Configuration & Workspace Setup...${NC}" + echo -e "\n${YELLOW}[3/5] Configuration Setup...${NC}" - read -p " Enter Instance Number (e.g., 1, 2): " NUM - INSTANCE_DIR="/opt/wallarm/$NUM" - TRAFFIC_PORT=$((8000 + NUM)) - MONITOR_PORT=$((9000 + NUM)) - NODE_NAME="wallarm-node-$NUM" + read -p " Enter Inbound Traffic Port [80]: " IN_PORT + IN_PORT=${IN_PORT:-80} + MON_PORT=$((IN_PORT + 10)) + echo -e " ${YELLOW}i${NC} Monitoring port set to: ${BOLD}$MON_PORT${NC}" + + INSTANCE_DIR="/opt/wallarm/poc_$IN_PORT" + NODE_NAME="wallarm-node-$IN_PORT" read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1} - read -p " Upstream App Port [80]: " UPSTREAM_PORT - UPSTREAM_PORT=${UPSTREAM_PORT:-80} + read -p " Upstream App Port [8080]: " UPSTREAM_PORT + UPSTREAM_PORT=${UPSTREAM_PORT:-8080} read -p " Paste Wallarm Token: " TOKEN - # Pre-check internal app reachability - if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then - echo -e " ${RED}[WARN]${NC} VM cannot reach App at $UPSTREAM_IP:$UPSTREAM_PORT. Check networking." + # Port Collision Check + if sudo netstat -tulpn | grep -E ":$IN_PORT |:$MON_PORT " > /dev/null 2>&1; then + echo -e " ${RED}✗ FATAL: Port $IN_PORT or $MON_PORT is already in use.${NC}"; exit 1 fi } -# --- 4. DEPLOYMENT (Replaces Compose) --- +# --- 4. 
DEPLOYMENT & PERSISTENCE --- execute_deployment() { - echo -e "\n${YELLOW}[4/5] Launching Instance $NUM...${NC}" + echo -e "\n${YELLOW}[4/5] Launching Wallarm Instance...${NC}" sudo mkdir -p "$INSTANCE_DIR" # Nginx Config 
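Review bot: The new install path in setup_manual_engine fetches docker-24.0.7.tgz with a bare `curl -L` and copies its contents into /usr/bin as root without checking a checksum or signature, so whatever the download host (or a trusted TLS-interception proxy on the way) hands back becomes the machine's `dockerd`; without `-f` a 404 body is also saved as the tarball, `tar xzvf` then fails, and because the script never enables `set -euo pipefail` the `sudo cp docker/*` and the systemd unit creation still run as if the install had succeeded. I would pin the expected SHA256 and refuse to install on mismatch, fail on HTTP errors, unpack inside a `mktemp -d` directory instead of the caller's current directory, and check each step explicitly (sketch below). In get_user_input, `IN_PORT` goes unvalidated into `$((IN_PORT + 10))`, a filesystem path, a container name and a `-p` mapping; a guard such as `[[ "$IN_PORT" =~ ^[0-9]+$ ]] && (( IN_PORT >= 1 && IN_PORT + 10 <= 65535 )) || { echo "invalid port"; exit 1; }` keeps non-numeric or out-of-range input away from those spots, and `ss -tulpn` is the safer choice over `netstat`, which many current distributions no longer install. The token prompt should be `read -rsp " Paste Wallarm Token: " TOKEN` so the secret is not echoed on the terminal, and the systemd unit heredoc looks truncated in this rendering, so its contents are not reviewed here.
```shell
  # Determine Architecture
  ARCH=$(uname -m)
  DOCKER_VERSION="24.0.7"
  BINARY_URL="https://download.docker.com/linux/static/stable/$ARCH/docker-${DOCKER_VERSION}.tgz"
  # Expected SHA256 of the tarball for this ARCH, recorded out-of-band and
  # pinned by the operator; nothing is installed unless it matches.
  : "${DOCKER_TGZ_SHA256:?set DOCKER_TGZ_SHA256 to the pinned checksum for $ARCH}"

  WORK_DIR=$(mktemp -d) || { echo -e "${RED}mktemp failed.${NC}"; exit 1; }
  trap 'rm -rf -- "$WORK_DIR"' EXIT

  echo " Downloading Docker Binaries ($ARCH)..."
  # -f: an HTTP error page must never be saved and extracted as the tarball
  curl -fsSL --proto '=https' --tlsv1.2 "$BINARY_URL" -o "$WORK_DIR/docker-static.tgz" \
    || { echo -e "${RED}Download failed.${NC}"; exit 1; }
  echo "$DOCKER_TGZ_SHA256  $WORK_DIR/docker-static.tgz" | sha256sum -c --quiet - \
    || { echo -e "${RED}Checksum mismatch - refusing to install.${NC}"; exit 1; }

  echo " Extracting and moving binaries to /usr/bin/..."
  tar -xzf "$WORK_DIR/docker-static.tgz" -C "$WORK_DIR" \
    || { echo -e "${RED}Extract failed.${NC}"; exit 1; }
  sudo install -m 0755 -o root -g root "$WORK_DIR"/docker/* /usr/bin/ \
    || { echo -e "${RED}Install failed.${NC}"; exit 1; }
  # … unchanged: systemd unit creation and engine start …
```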
@@ -141,61 +145,45 @@ server { server { listen 90; location /wallarm-status { wallarm_status on; allow all; } } EOF - # Clean existing - sudo docker rm -f "$NODE_NAME" &>/dev/null - - # Image Source Logic + # Image Logic if [ "$REGISTRY_REACHABLE" = true ]; then echo " Pulling wallarm/node:latest..." sudo docker pull wallarm/node:latest else - echo " Registry blocked. Loading from local .tar..." - sudo docker load < *.tar || { echo "No image found!"; exit 1; } + echo " Registry offline. Loading local .tar..." + sudo docker load < *.tar fi - # Persistent Launch (Manual "Compose" behavior) - sudo docker run -d --name "$NODE_NAME" --restart always \ - -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 \ - -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \ - -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \ - wallarm/node:latest - - # Create a start.sh in the directory for easy manual control later + # The Persistence Script sudo tee "$INSTANCE_DIR/start.sh" > /dev/null </dev/null -sudo docker run -d --name $NODE_NAME --restart always -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" wallarm/node:latest +sudo docker run -d --name $NODE_NAME --restart always \\ + -p $IN_PORT:80 -p $MON_PORT:90 \\ + -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \\ + -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\ + wallarm/node:latest EOF sudo chmod +x "$INSTANCE_DIR/start.sh" + sudo "$INSTANCE_DIR/start.sh" } -# --- 5. ATTACK TEST & VERIFY --- +# --- 5. VERIFY --- verify_and_test() { - echo -e "\n${YELLOW}[5/5] Verification & Attack Simulation...${NC}" + echo -e "\n${YELLOW}[5/5] Final Verification...${NC}" sleep 15 - - if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then - echo -e " ${GREEN}✓${NC} Node Handshake Successful." 
+ if curl -s "http://localhost:$MON_PORT/wallarm-status" | grep -q "requests"; then + echo -e "\n${GREEN}${BOLD}✅ SUCCESS: Wallarm Node is active on Port $IN_PORT${NC}" + echo -e "Monitoring available at: http://localhost:$MON_PORT/wallarm-status\n" + + echo -e "${YELLOW}⚔️ Simulating SQLi Attack...${NC}" + curl -s -o /dev/null -w "Result: HTTP %{http_code}\n" "http://localhost:$IN_PORT/?id='OR+1=1--" else - echo -e " ${RED}✗${NC} Node not responding. Check: sudo docker logs $NODE_NAME" + echo -e "\n${RED}❌ FAILED: Container started but status page is unreachable.${NC}" + sudo docker logs $NODE_NAME | tail -n 5 fi - - echo -e "\n${YELLOW}⚔️ Simulating Attacks...${NC}" - local sqli=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?id='OR+1=1--") - echo -e " SQLi Attack: HTTP $sqli (Logged)" - local xss=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?search=") - echo -e " XSS Attack: HTTP $xss (Logged)" - - echo -e "\n${GREEN}${BOLD}✅ DEPLOYMENT FINISHED${NC}" - echo -e "Instance Path: $INSTANCE_DIR" - echo -e "Traffic Port: $TRAFFIC_PORT" - echo -e "Monitor Port: $MONITOR_PORT" } -# --- EXECUTION --- -check_connectivity -setup_manual_engine -get_user_input -execute_deployment -verify_and_test \ No newline at end of file +# --- RUN --- +check_connectivity; setup_manual_engine; get_user_input; execute_deployment; verify_and_test \ No newline at end of file
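Review bot: The generated `$INSTANCE_DIR/start.sh` embeds the Wallarm API token in plaintext, is created by `sudo tee` with the default 0644 mode and then widened to 0755 by `chmod +x`, so every local account can read the node token; `sudo chmod 700 "$INSTANCE_DIR/start.sh"` (or writing the token to a 0600 env file passed with `--env-file`) keeps it from unprivileged users, bearing in mind that `-e WALLARM_API_TOKEN=$TOKEN` still appears in `docker inspect` for anyone with Docker socket access. `-p $MON_PORT:90` publishes the `/wallarm-status` page (declared with `allow all`) on every interface although the script only ever queries it from localhost; `-p 127.0.0.1:$MON_PORT:90` limits that exposure. `sudo docker load < *.tar` lost the `|| exit` the old code carried, and the redirect is ambiguous when more than one .tar is present, so on failure the following `docker run` either aborts or silently starts whatever `wallarm/node:latest` is already cached; `sudo docker load < *.tar || { echo 'Image load failed.'; exit 1; }` restores the check. The SQLi probe in verify_and_test only prints the status code and never compares it against an expected block response, so it reports success no matter what the node did; execute_deployment's opening lines sit in the previous hunk.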